    Trail of Online Clues Leads to Zotob Suspects

    Written by Paul F. Roberts
    Published September 5, 2005

      The arrests of two men in connection with the recent Zotob worm followed an intensive investigation by Microsoft Corp., which was aided by a trail of online clues left by the men, those familiar with the investigation said.

      The FBI last week confirmed the arrests of Farid Essebar, 18, of Morocco, and Atilla Ekici, 21, of Turkey, in connection with the recent Zotob Internet worm, and Mytob, another wide-spreading worm that first appeared in February.


      The arrests were a major victory for law enforcement, which likely followed a trail of clues left by two men convinced they were beyond the reach of Western law enforcement, according to Joe Stewart, senior security researcher at Lurhq Corp., in Chicago.

      Authorities in Morocco and Turkey arrested Essebar, who uses the online name “Diabl0,” and Ekici, who is known as “Coder,” with help from the FBI and Microsoft, according to Brad Smith, senior vice president and general counsel at Microsoft.

      The men are believed responsible for the two worms that used vulnerabilities in Microsoft's Windows operating system to infect computers worldwide and install remote control, or bot, software that allows remote attackers to control the system using IRC (Internet Relay Chat).

      Essebar is believed to have written both worms. Ekici may have paid him to use the worms, according to Louis Reigel, assistant director of the FBI's Cyber Division.

      On Tuesday, Moroccan authorities told the FBI that 16 more people were arrested in connection with the Zotob worm, according to Reigel. The FBI has not commented on that.

      The quick arrests surprised many in the security community, where months or years sometimes pass before a worm or virus author is brought to justice—in the minority of cases where any author is found.


      But Zotob and Mytob offered a gold mine of clues to curious researchers, experts agree.

      The online names of both men appear in messages buried in early versions of Zotob and frequently show up in Mytob variants as well, said Mikko Hyppönen, manager of anti-virus research at F-Secure Corp., in Helsinki, Finland.

      For example, machines infected by Zotob.A, the original version of the worm, connected to an IRC server called “diabl0.turkcoders.net” and contained the words “Greetz to good friend Coder.”

      Variants of Mytob also contained references to the hacker groups the men frequented, such as 0x90-Team, Hyppönen said.

      Investigators who dug a bit deeper might have discovered information that pointed to the particular individuals, such as a DNS (Domain Name System) registration for turkcoders.net that also referenced a domain named ataturk.atilla.ekici.net, the real name of Coder, said Stewart.

      Smith, of Microsoft, said that the arrests were noteworthy because authorities were able to act quickly despite working across countries and continents.

      In fact, Essebar and Ekici may have gotten sloppy because they believed that they were beyond the reach of law enforcement, Stewart said.

      “They've been doing the botnet thing for a few years and nobody in Turkey and Morocco cared,” Stewart said.

      That, combined with the unexpected success and notoriety of Zotob, which infected major news organizations such as Cable News Network LP, LLLP; ABC Inc.; and The New York Times, not to mention SBC Communications Inc. and DaimlerChrysler, put the two men in the cross hairs of international law enforcement, Stewart said.


      “I think they underestimated the impact that Zotob would have and Microsoft's willingness to invest the time and resources to track them down,” Stewart said.

      While Stewart and Hyppönen praised the quick arrests, both noted that there are countless other worms and viruses, including more than 70 new creations that exploit the same Windows hole as Zotob, for which no arrests have been announced.

      “For me, it's just disappointing that the threshold [of damage] is so high for action to be taken,” Stewart said.

      Hot on the trail of Zotob

      Security experts were shocked when Microsoft and the FBI announced arrests in the Zotob case less than two weeks after the worm first appeared, but investigators had plenty to work with, including:

      * Virus writer “shout-outs”: Zotob.A contained a buried message, “Greetz to good friend Coder.”

      * Vanity domains: The names of the suspected Zotob and Mytob authors were used in the domain names assigned to IRC servers used to control machines infected by the worms, such as “diabl0.turkcoders.net” and “ilovediabl0.net.”

      * Domain registrations: Most DNS registrations for the vanity domains used bogus information, but a close inspection yielded clues that may have helped investigators, such as the e-mail address masteratilla@yahoo.com, part of the name of Atilla Ekici, aka “Coder,” one of two men charged last week with creating Zotob and Mytob.
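      The first two clue types above, worked as an added example (not code from the article or from the investigators): a small Python triage helper that pulls printable strings from stand-in sample bytes the way `strings` would, flags embedded hostnames and “greetz” messages, and correlates the handles named in the article across samples. The byte blobs and the handle list are constructed for illustration and are not real worm samples.

```python
import re

# Constructed stand-in "binaries": printable fragments of the kind the article
# describes, padded with non-printable bytes. Not real Zotob/Mytob samples.
SAMPLES = {
    "sample_a": b"\x00\x8b\xffMZ\x00\x00Greetz to good friend Coder\x00\x00\x90\x90"
                b"diabl0.turkcoders.net\x00#chan\x00",
    "sample_b": b"\x00\x00ilovediabl0.net\x00\x00\x90\x90by Diabl0 - 0x90-Team\x00\x8b",
}

# Handles and group names the article says appeared in the worms (constructed list).
HANDLES = ("diabl0", "coder", "0x90-team")

HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
GREETZ_RE = re.compile(r"\b(greetz|greets|shout ?outs?)\b", re.I)


def printable_strings(data: bytes, min_len: int = 4):
    """Equivalent of the `strings` tool: runs of printable ASCII of at least min_len."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def extract_clues(data: bytes):
    """Collect hostnames, shout-out messages and known handles from one sample."""
    hosts, greetz, handles = set(), [], set()
    for s in printable_strings(data):
        hosts.update(h.lower() for h in HOST_RE.findall(s))
        if GREETZ_RE.search(s):
            greetz.append(s)
        low = s.lower()
        handles.update(h for h in HANDLES if h in low)
    return {"hosts": sorted(hosts), "greetz": greetz, "handles": sorted(handles)}


def correlate(samples):
    """Map each handle to the samples it appears in (vanity hostnames included)."""
    index = {}
    for name, data in samples.items():
        for h in extract_clues(data)["handles"]:
            index.setdefault(h, set()).add(name)
    return {h: sorted(v) for h, v in index.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, extract_clues(data))
    print("handle -> samples:", correlate(SAMPLES))
```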

